        Trojan horse ("Brador") found in Pocket PCs

        Doug | Date: Aug 6, 2004

        Russian anti-virus vendor Kaspersky Labs claims to have found the first backdoor Trojan Horse for PDAs running Windows CE. The program, designated Backdoor.WinCE.Brador.a, is a "classic Trojan backdoor program" -- it opens the infected machine for remote administration, the lab says.

        After the backdoor is launched, it creates an svchost.exe file in the Windows autorun folder, so that it is relaunched, and the attacker's control restored, every time the handheld is turned on. It then identifies the machine's IP address and sends it to the author, informing him that the device is on the Internet and the backdoor is active. Finally, Brador opens port 44299 and awaits further commands.

        The program, written in ARM assembly language, is said to allow the master full control over the infected PDA via the port that it opens. Brador is programmed to upload and download files and execute a series of further commands. Like all backdoors, Brador cannot spread by itself; it can only arrive as an email attachment, be downloaded from the Internet, or uploaded along with other data from a desktop.
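        The two host-level indicators in that description (an svchost.exe dropped into the autorun folder, and a listener on TCP port 44299) are enough for a simple triage check. The following is an added example, not code from the article or from Kaspersky Labs; the startup-folder listing and netstat-style text it inspects are constructed sample data.

```python
import re

# Indicators taken from the article: Brador drops svchost.exe into the
# Windows autorun (StartUp) folder and listens on TCP port 44299.
BRADOR_PORT = 44299
DROPPED_NAME = "svchost.exe"

# Constructed sample data standing in for a Pocket PC's startup folder
# listing and a netstat-style connection table (not real captures).
STARTUP_FOLDER_LISTING = [
    r"\Windows\StartUp\svchost.exe",
    r"\Windows\StartUp\calendar.lnk",
]
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:44299          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1027      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Matches a TCP row in LISTENING state and captures the local port.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def find_brador_indicators(startup_paths, netstat_text):
    """Return human-readable findings for each Brador indicator present."""
    findings = []
    for path in startup_paths:
        norm = path.lower().replace("/", "\\")
        # svchost.exe legitimately lives in the system folder, never in StartUp.
        if "\\startup\\" in norm and norm.rsplit("\\", 1)[-1] == DROPPED_NAME:
            findings.append(f"{DROPPED_NAME} in autorun folder: {path}")
    if BRADOR_PORT in listening_ports(netstat_text):
        findings.append(f"TCP port {BRADOR_PORT} is listening")
    return findings


if __name__ == "__main__":
    for finding in find_brador_indicators(STARTUP_FOLDER_LISTING, NETSTAT_OUTPUT):
        print("INDICATOR:", finding)
```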

        According to information obtained by Kaspersky Labs, Brador appears to have been written by a Russian virus coder. The Trojan was attached to an email with a Russian sender address and Russian text inside.

        Interestingly, the author is offering to sell the client portion of the Trojan to all interested parties, which means there is a possibility that the backdoor may see commercial use, such as to send out junk email. "Virus writers are turning professional with a vengeance," says Kaspersky Labs.

        Kaspersky Labs says it has already updated its antivirus databases with protection against Brador. A detailed description of Brador is available in the Kaspersky Labs Virus Encyclopedia.

        According to other sources, several proof-of-concept "malware programs" for ARM-based devices were demonstrated this week at the Black Hat Briefings seminar in Las Vegas. These are said to include a keystroke logger, a virtual remote control application, and an FTP server that can be easily hidden from the user.
